Webinar Replay – Fraud Awareness: Tips and Best Practices
Hello, everyone, I'm Rachael Sampson, director of Key4Women here at KeyBank, and I want to welcome you to our program today.
2020 was a record-breaking year for fraud in the United States. Cybercriminals are opportunists that are known to try to profit from disruptive climates like the global pandemic into fraud individuals in businesses alike.
According to the Federal Trade Commission, consumer losses, due to fraud total more than $3.3 billion in 2020. That's up from $1.8 billion in 2019. That's a tremendous increase, and according to the 2021 identity fraud survey by Javelin strategy and research, total combined consumer and business identity fraud losses in the United States climbed to a staggering $56 billion. That's 56 billion with a “B” dollars. Unbelievable.
We saw rampant unemployment claim fraud with estimates of more than 63 billion according to the Labor Department Inspector General's office. Cybercriminals in fraud are real threats for individuals and businesses, but there are actions you can take to be better protected. Today we've gathered a few experts to help us understand the trends, prevention tips, and best practices for yourself, your business, the children in your life, and elders in your life.
We look forward to a lively discussion today and we welcome you to use the chat box throughout our program to answer any questions you may have.
Now, it is my pleasure to introduce today's speakers.
Joining today are Tammy Gedetsis, security education and awareness manager at KeyBank. Tammy has over 20 years’ experience in financial services industry and is responsible for monitoring industry fraud and security trends to develop programming that helps educate and arm our employees, clients, and communities, including steps and actions they can take to stay better protected.
Jen Martin, head of fraud at KeyBank, and vice chair of the Consumer Bankers Association, fraud management committee. Jen has over 23 years of progressive leadership experience and technology data analytics and operations and criminal justice and financial services. In her current role, she is responsible for leading the overall KeyBank fraud prevention strategy to help continually evaluate and proactively strengthen the tools, technology, and training necessary to keep Key data protected.
Stephanie Breen, intelligence analyst with the Federal Bureau of Investigations, specializes in white collar criminal investigation. IA Breen has represented the FBI and multiple working group trainings and conferences across the United States and in Europe and serves as a leader of the Cleveland division virtual currency working group and social media exploitation team. She is also an active member of the Cleveland division virtual currency task force, bankruptcy, fraud working group, medical marijuana working group, social media cell, and the nationwide corporate broad response team.
Ladies, thank you so much for joining us today and at this time I'll turn it over to Tammy to begin our program.
Thank you so much, Rachael. We are so excited to be with all of you today. As Rachael talked about, the numbers are staggering, and it is really something. You honestly can't turn on the evening news without hearing something – a new story that's happening.
So really, what are we going to talk about today? So on today's agenda, we're going to tell you about what is fraud, what are the things that you should be thinking about. What are some of the common fraud scams that we're seeing come across our desks that we're talking to our clients about. What are those fraud trends that are on the rise? What are the things we're starting to see increase? And then, most importantly, fraud prevention – there are things that you could be doing each and every day to help protect yourselves and your families around these different fraud scams that we're seeing. And, of course, as we mentioned, throughout the session, please feel free – we want this to be engaging – just submit those questions and we will have time to go through those.
So with that, I'm going to turn it over to you, Jen. Can you talk to us a little bit? Fraud is such a big topic, right? And I think, when people think about it, sometimes we can't wrap our minds around it. So maybe talk to us a little bit about what is fraud.
Absolutely, and thank you for having me here today. I'm really excited about being with this forum, especially of women as moms and heads of our households and business owners.
We are on the front lines of fraud every day and fighting fraud and I always like to start that we're all deputized to fight fraud in our own way for ourselves and our families. We are our first line of defense to thwart these bad actors, and we need to be aware and so I'm so glad to have all of you here today to learn more about how to do that.
So, fraud is really any wrongful or criminal deception intended to result in financial or personal gain, but mostly it's financial gain. So, it is bad actors utilizing a variety of different tools to take money from innocent people to convince people to use your accounts to funnel money through. It's traditionally a financial transaction that we think about with fraud, and a lot of times that is to build their own personal gain, but also organized crime. This money is not typically go to good. It goes to a lot of different types of criminal behavior and they're able to do what they do because they monetize that behavior through fraud and really taking advantage of situations.
You think about COVID a year ago in March, as that was starting to really erupt. That was just like the perfect storm for bad actors. They're always looking for that opportunity to attack and to take people when they're maybe weak or they're concerned. And so initially, almost immediately, we saw personal protective device fraud. So, fraudsters are saying, send me (we saw with states) millions of dollars, because we can send you personal protection devices and they didn't have it. They were fraudulent companies, but they immediately swarmed it on that.
And now we're seeing it around vaccines and unemployment so COVID, in of itself, created this huge opportunity for bad actors to do what they do. And so that's why we saw those increases.
More than ever, we have to be really hyper aware of some of these different vectors of how we get to front and some of these we're going to click into a little bit deeper in the presentation, but we see this. We see the phishing emails and you click on a link or you get the weird text from a bank you don't even bank with that's telling you to click on a link. You get that phone call, all those different spam calls, asking you to take action in some kind of way.
Unfortunately, a lot of people use this same username and password across multiple login sites and you definitely don't want to do that because you have bad actors then that compromise. Hilton was a big one and it was interesting when Hilton had a data breach, and they said, “Oh, but no PI was exposed, but just usernames and passwords.”
Well, that is the most important PI now that you have because bad actors know that you don't change those usernames and passwords across all your different sites. And they use bots to use that to test your login credentials or across a variety of different sites so sometimes you'll see the transactions from places that you've never transacted with before. How did that get exposed? It's likely through your username and password.
Think about any place that you've got personal information can be used and groomed by bad actors to use again. And similar, I cringe every time I see one of those Facebook posts with all the questions and people asking the questionnaires. Those are great targets for bad actors to go and cull a lot of personal information. Think about it, even if you don't answer those in your Facebook feed, they know your child's name, child's age, they roughly know your age. Those are all you think about the out of wallet questions. Those are all things that we expose out there that can be used by bad actors against us to facilitate some of these different types of fraud on fraud vectors. Now I’m going to hand it off to Stephanie for our next slide on our most common fraud scams.
Thank you so much for having me. This is such an important event and I'm so passionate about this subject and being able to share this information with you all to help strengthen our understanding and our knowledge to keep those that are so important to us safe. So, thank you so much.
The first one that I want to talk about is impersonation, which was so huge, especially over this last year again with everybody being at home and everything was so virtual, or you had so many different phone calls that were coming through. A lot of the crime that we saw at the FBI would be fraudsters. They'll call someone saying that they're from the WHO or they're from – this one has come up quite a bit recently actually – they're calling saying they're from Netflix and that your account information needs to be updated. Two people on my squad got this call and one of them got hit and she gave her information and the other one didn't because he hasn't had Netflix in over a year. I mean, these are very well-educated people just like you and they still got caught up by something as simple as getting a call from Netflix.
What has also happened quite recently has been people have been impersonating IRS agents, especially around tax time this year saying that they're calling from the IRS and there are issues with their tax returns or there are issues with the refund that they're supposed to be receiving. So that is just something that needs to just be aware that.
The IRS or Netflix, or an insurance company, or your car warranty, they're not going to call you and say, “You need to give me your Social Security number or you need to give me your credit card information.” They're not going to ask for that information directly over the phone. If they need information from you, first of all, you're most likely going to get a letter, but you can look up safety protocols on the IRS website and that's the safest way or Netflix's website or your car warranty, whatever it might be.
If somebody is calling and asking for your PI, your personal information, the best and safest thing for you and your loved ones to do is to look up that company or go directly to that company and call their customer service line. That way you know for certain that you aren't giving out your personal information to fraudsters.
Another common fraud that we are having issues with is the romance or sweetheart frauds again. That's so big over this last year, because everybody is so lonely sitting at home, and it's so hard because with these types of scams, victims get hit twice. They get hit once in the wallet and once in the heart, which is so true. And it's really heartbreaking even just to think about that and all of the irs victims that are parents and grandparents and loved ones that are sitting in nursing homes that haven't been able to see anybody for the last year, over a year. Now quite a few people are getting on the Internet or getting these phone calls.
We have had so many large cases. For instance, we had a woman who was in Houston. She's a business owner for many, many years. She lost over $60,000. She had been talking to this gentleman for over three months before he had even asked for money and the way he asked for money was saying that his business is in Europe, and they are working on this huge bridge product project, but they just lost all of their funding and they need an investor and would she'd be willing to invest in his company and she did, like I said, over $60,000, and even after he was convicted, and in jail, she still didn't admit to him being a fraudster or defrauding her. In her victim statement, she said, if he did scam me, when it had already been proven that he had scammed her, which is so heartbreaking.
We had another – we actually have had two business owners recently that we have open cases on, so I can't give you too much information – but we have two different cases, two different business owners who have been talking to somebody for several years. They've known these people, been dating these people for several years, but they've never met them, which is very common. There's always excuses for not meeting them, always asking for money for business projects or investments or to help them with a medical issue. They've lost thousands of dollars, and again, these are business owners with successful businesses who end up becoming even unwitting money mules which can get you in a lot of trouble because that's a part of money laundering in general and a money mule is someone who they asked to send you a wire. this fraudster will say, “Hey, I'm going to send you this wire. It's coming from a company. Can you just send it to my bank account or can you buy a crypto currency for me? I'm having issues with my bank.” You may say, “Oh, yeah, I trust you, of course.” And unfortunately, that is what a money mule is. You take in money for somebody else, and then you send it back out, and then you end up becoming monitoring these elicit proceeds for this fraudster.
It's hard to talk to these – people who are so engrossed within this relationship – but it's definitely something to look for. And there are so many warning signs that things seem too perfect: if they're asking for money, If they're asking you to leave a dating service right away, and they always have excuses not to meet, poor grammar, sending passports or documents to authenticate themselves. These are warning signs that you can help your loved ones with being able to recognize right off the bat.
This is Stephanie, can you talk to us, Jen, maybe a little bit about a couple of the other ones that we're showing here – the tech refund or the debt elimination.
I know you talked a little bit already about phishing, that they can send you any types of links or anything, Jen, it's fair game. Phone call, text, message, email, just be leery of who's on the other side of that kind of phone call. I talked to my kids about stranger danger when you think about in person, but we have to think about stranger danger when we're thinking about who's on the other side of that transaction. So, Jen, can you talk to us a little bit about some of the other ones on this most common fraud slide?
Absolutely. And I have that same conversation. I have an 8th grade son and an elderly mom, and I have the same conversation with both – don't click on any links. Don't take that phone call; be really wary. And my son who's in a lot of social media, be wary of people reaching out to you and trying to befriend you and asking you to open accounts in their name, or do they want your Social for whatever reason? Be on the lookout for all of that kind of behavior.
And then the next click in as we look at that elimination of our loans. They are impersonating a reputable debt or loan agency and they're requesting all of your information to give you a loan or eliminate all your debt – seemed a little bit too good to be true. I would say this is not just a call, but there's a lot of malicious sites out there. So, you might think that if you could type in a site that you think is legitimate, and then when you go into it, like the first one that might pop up might be a Google ad. And if you click on that, and you really look at that email address, sometimes that's not where you intended to go. And the screen looks a little bit different.
A lot of those are malicious sites, so that's bad actors intending to have that site look really real and authentic so that you put in all your personal information. And now they can use that to go open a lot of accounts in your name, or do what they want to do with all of that PI. So you always want to be really cautious about where and how you share your personal information, especially if it's anything about we're going to give you money for debt elimination or a loan.
And then, the antivirus tech refund. That's been out for a little bit. That's a lot of proactive phone calling, usually foreign, and they're saying, “Hey, there's a virus on your computer, and I can help you get it off or it's on your phone device. We were able to track it to your phone device. And if you pay us, we can help you get rid of that virus.” Or, “Hey, you know, you're eligible for this tech refund, or any kind of refund, and you just need to give information.”
The lottery scam really still hits a lot of elderly people, unfortunately. You've won the lottery, you give us a few thousand dollars, but then you're going to get all of this money. Unfortunately, I see that take elderly a couple times a year.
I really want to emphasize those romance sweetheart scams. They are so hard. And we're still in the increase that we're seeing.
Don't buy puppies on the Internet. Anything that you can buy on the Internet doesn't actually exist. Puppies were big for a while and cars. They were making legitimate purchases online if you can’t see or zoom – See the product, know the person, find another means cause it's likely fraud. And these scams are easy and so they just keep replicating out there.
Moving on, we talked a lot about the different kinds of common things that we're seeing, but there are some things where we're seeing kind of some increase and in them.
And Stephanie, can you talk to us a little bit about the FBI published a lot of information on business email compromise. We might hear it called BEC because it just doesn't go away and maybe talk to us about that. And I know you mentioned a little bit earlier virtual currency too; maybe talk to us about those two topics and what you're seeing and what you would advise.
Sure, so business email compromise – often those things happen with a sense of urgency or creating a slight panic in someone. So, a lot of times, somebody who's in perhaps the accounting department who has control over checks, they might get an email from the CEO or something of that sort. And what you'll see is that the email is so close to what the actual proper email is and they don't realize because they're looking at it so quickly and they just see the last name or the first name. I know who this is and they don't continue to look on the email. Or somebody has hacked into that email, it could be either/or, and you'll see an email saying send me $500,000, I need this account, I forgot to make this purchase, or send this money out or something. I need it done at this time, in an hour, it has to be done. Protocol will say I need to get approvals or whatever, but then they keep getting pushed – no, I need this now. This is urgent. We have to get this. We're going to lose this account, whatever it might be and it creates a panic. Then the protocols tend to go out the window a little bit in these panic states.
And that's where mistakes can be made, and that's a problem with the business email compromise. It's always so important to stress and to have these protocols in place that no matter what happens, these protocols always need to be followed. If somebody's pushing this urgency, there needs to be a protocol for urgency or something set up within your business so that you don't get caught by $100,000 all of a sudden being sent out of your account and you didn't authorize it.
In the sense of virtual currency, the popularity of it is just increasing and it's so important that you know what you're doing when it comes to virtual currency – that you are going through reputable exchangers, that you are understanding that virtual currency is a very volatile market. You have the ability to make 10% gain, 15% gain in a day and you could also lose 15%. So when you're going into it, you have to understand that it's going to be a volatile market.
With that being said, though, there are banks that are starting to get in on the virtual currency train. There is a bank called Quontic Bank that just launched a Bitcoin rewards checking account where you get 1.5% back in Bitcoin purchases made with your debit card, which means that there will be other banks, and there will be other credit cards that are starting to come through. It's just so important that any sort of virtual currency you do, make sure you're using a reputable exchange – Coinbase is very reputable. They work with law enforcement quite a bit. That's the one that I use personally.
Do your research beforehand. There is so much information out there about virtual currency and VCs are a new, up-and-coming thing with the digital fine art. Doing all of your research first is so important and any questions that you do have, you're welcome to reach out to me. You're welcome to reach out to any sources that you know of that do a lot of research in their virtual currency as it's very important to know what you're doing before you get into it and to understand how it's not something that's stable. It's just a very volatile market as well.
Do you want to talk just a little bit, Jen, about unemployment? I know you mentioned it a little bit earlier. I don't think any of us can escape the news stories that we've seen around unemployment frauds. Do you want to talk to that a little bit?
It was a really interesting use case again coming out of COVID launching. Millions of Americans are getting into their homes. Obviously, widespread unemployment – government creates programs to make sure that all of us who were displaced from jobs could have money and income to prevent what could have been a really catastrophic financial situation for the country. All really well-intended programs to make sure that Americans had what they needed in the midst of the pandemic.
But, again, our bad actors look to glom on to opportunity, and here's billions of dollars of opportunity coming into these states where historically, there had been no fraud. State unemployment agencies have always had several layers of control to make sure that person is who they say they are, they call the employer and make sure that they're unemployed – there was a lot of checks and balances in that process. Historically that prevented fraud.
What happened was some of the new programs were launched and then just the sheer volume meant that states were overwhelmed by that volume and a lot of those up-front controls had to go by the wayside, along with the spirit of getting funds out to the right people. But, unfortunately, bad actors used it as an opportunity to steal identities and collect those funds for themselves. And it happened in a massive scale.
So, we're seeing those numbers come out of states now and the billions of dollars where bad actors very easily – I was on the inside and we talked about how they – mined a lot of this data for a while. I think there were a lot of folks just waiting for the right opportunity to use sleeper mule accounts. There was a sense that a lot of this had been set up for a little bit and it was lying in wait for the right opportunity which this presented in terms of using mule accounts that were maybe sitting out there, our credentials that you were about to use or now you had a use case to use those.
If you were in the Equifax breach a few years back or if you've got notification of a lot of breaches, you really want to be hyper aware of your identity and especially this scam where a lot of identities were used to collect unemployment and you may not know until you receive a 1099-G tax form from your state saying here's your tax liability for all of the unemployment you received when you didn't.
A lot of states now are waiving those, they're taking phone calls, they've been overrun with people who are now identifying that they had no idea that their identity was stolen until they got this tax form. It's going to take a minute to work through all of that. And people reach out to me saying I've been trying to call my state for days and weeks and I can't get into them. I'd say you keep pressing because you have to get in touch with the state.
If you have been impacted, you might want to consider freezing your credit. You definitely want to have some kind of ID notification company, IDnotify is one company, but a credit monitoring or personal identity monitoring service that will alert you if your identity is being used. Some of those are great because they tell you if your telephone number has been breached or your email has been breached, and it will tell you when it's been breached, and a lot of those tools have become more sophisticated. I noticed with my recent Apple iPhone upgrade that tells me I think this email and password combination has been used in a breach. Do you want to change it now? All of those things help us to proactively protect our identities. But I think this unemployment fraud is going to take a few years really to work itself out because it was so widespread and to unravel.
So, that's kind of a perfect segue into the next topic: fraud prevention. I know I've heard you and Stephanie sprinkle in some of these tidbits, but maybe for the audience, let's talk a little bit about things we can all do to help prevent fraud.
Again, I'm going to emphasize you are your own personal law enforcement officer. All of this fraud is preventable with the right controls and awareness and I love this.
First, slow down, review, ask questions. Trust your gut. Women are really great about this. We get that Spidey sense of something's not right; we're taking in potential danger to us or our family. I think we really excel at that and listen to that intuition.
If you're on the phone with somebody and they're asking you for personal information, do you really want to answer any questions from anyone who calls you? Honestly, I really like Stephanie's advice. Just hang up and actually call that entity that is purporting to call you and once you get on their customer service, I'll tell you, you’ll know if it's real or not.
I don't even really answer most calls; unless I know you, I’m not picking up the phone. And I really want us to encourage our elderly on that as well. Because again, that lonely factor, they kind of want to talk to somebody and then they're really susceptible to do whatever they're told.
And it's totally us as Americans, I think this is a cultural thing for us. We're super friendly and so we don't like to hang up on people. Hang up – just hang up.
And even if it's KeyBank, if KeyBank is calling you and asking you personal information – that will never happen – I am telling you, hang up on us and then call us back. Call back to the customer center, because we can tell you if we were really intending to reach out to you or not.
Never feel afraid to just hang up and validate and review all of your accounts like this. This takes a second. Pop open your app, your financial apps. Just make sure that you're really aware because time is of the essence. Let's say you did take that call and you gave out a bunch of information and now you're concerned, especially if you gave out bank information.
Call your bank right. I can tell you just from what I see every day, time is of the essence. The faster we know, and especially in business email compromise, is the faster we can secure the funds and get them back or stop the transaction or try to make a recovery. Right? The faster we know to help, the more likelihood is that we can recover those funds.
And then use every account alert that is available to you to just be really aware of any transactions going on in your accounts, especially if you ever see an erroneous penny transaction. That's a test transaction that you might see from PayPal or any payment source. If you see an unknown penny transaction, definitely call your bank because we can put controls on the account that could stop the next one. If you see a penny one, a large dollar transaction is coming next, and we can prevent that.
Again, really utilize your strong passwords. Don't write them down, don't use them across applications, especially financial applications. You really want to make sure you've got a unique username and password across all of your financial applications in particular, but really every application.
Always think before you click. Just don't click on everything. My dad – there just was not a link he wouldn't click on. I don't know how many times we had to clean his computer off of whatever virus he picked up.
What happens then is that you get malware on your computer, and now they have access. When you log into your online banking, now they've got that username and password and all of your account information. When you click on those things, sometimes it may not look like anything’s happened, but behind the scenes, malware has been applied to your device.
Really use your antivirus systems – make sure you have those in place and installed and updating consistently. When those alert you, follow through with those alerts.
Stephanie, anything else I forgot on that list? There's so much, right?
Oh, there's so much. No, you did not. That's all great advice, honestly. I cannot emphasize strong passwords enough. My husband often makes fun of me because he'll see my password and he asks me how do I even remember that? That makes no sense and that's the point. No one's ever going to guess this. It makes no sense.
Another thing about the passwords too, is password vaults. There are free ones out there like LastPass. They're actually password vaults and they help you create those login strong passwords. But a great barrier exists with people who wonder how are they going to remember all these passwords? Like you, Stephanie, my husband hates me when it comes to the Netflix and the Disney account, all these accounts we have, and he asks what's the password now. When I tell him, he gets mad at me and asks me what am I doing. I say we talk about this all the time and I can't be the person that doesn't follow my own my own advice. But that's a good way to do that.
Another thing I found was interesting when somebody told me made a light bulb go on – create unique answers for security questions around websites. We use a bank or other websites. We don't know what the answers to those security questions are.
Lie. Create something when it asks for your mother's maiden name. Don't put the real answer there because the fraudsters can find some of that information. Lie about it.
Another thing about password vaults is you can store some of that information in there too. You can make up the answers to your security questions; you just have to know what those answers are and make sure you're not putting those types of things out on social media because that's where they're picked up. So just lie – make up stuff for those unique answers but just remember what you put in there.
Stephanie, we talked a lot about external fraud and things that you should be thinking about to prevent that, but you also need to be thinking about insider threats. Can you give us some insight on things that these businesses should be thinking about from internal fraud that could be happening within their businesses?
Absolutely, it's so important to make sure that not only are you protecting yourself but you're also on the defense on the inside as well. Hiring the right employees is so key, taking the time to find the right person, and arranging surprise audits for people such as accountants or bookkeepers who know that an audit eventually is going to be coming. It helps to keep them more honest, but it's important to do it all across the board for safety measures.
It's funny to me, but it's so important to insist that employees take vacation. The reason this is so important is because people can get so burnt out and they can start becoming angry and build up this sort of aggression inside. And then they get an attitude. Before you know it, they are willing to do whatever. They get in a depression and they will do whatever it takes to get more money to bring their grudges to light and to get their revenge or whatever. It's just so important for people to take time to step away. This is not only for their own attitude, but so that you can see the work that they've done and to line it up to make sure that they're doing what they're supposed to be doing. You can check that the ball isn't being dropped and that they're not hiding things from you as the owner, or from the department, when they're gone. If somebody does take their vacation and they're hiding something, you're going to know pretty quickly if the ball starts to drop in multiple locations. Or when you're talking to customers, they're going to say that so and so told me this.
So, it's good not only for their mental state, but for you to see if anything is being hidden. That helps to create this ethical work environment. Make sure that everybody realizes there's a no-tolerance culture for that.
It's so important to make sure that any statements like bank statements, credit card statements, stuff like that, are mailed to a post office box. If somebody in your business is hiding something from you and they're the ones that get the bank statements, they can alter them or they can keep them from you and that's not something that you want. You want to be able to have that kind of open air for things and you look at them first, keeping your accounting duty separate and making sure that you have a CPA that's outside of the company so they can have a secondary look at everything. It's just so important.
Rachael, I'll turn it back over to you.
Sounds great. Thank you so much ladies, for the detailed information. It continues to amaze me the various ways that criminals are so determined to defraud individuals and businesses. I know I learned a lot and I have a few takeaways and some cleanup that I need to do on my end. I'm sure the audience does as well.
Before we get started with our Q and A portion, I want to just make sure to point out that you take a moment, if you're not already a Key4Women member, to use the link in the chat to join our network, or the QR code on your screen to join more than 7,000 like-minded women and allies across our member footprint that will give you access to the tools, resources, and programming like we are participating in today.
Also, we do have a post-event survey that is listed as well. And we want to make sure that you complete that because that really helps us to make sure that we are continuously taking your insights and tailoring our programming to your needs.
Also, we are very excited to announce that on July 14, we will be talking about power moms and how executive mothers navigate work and life with “New York Times” bestselling author, Joan Lublin, the former management news editor of “The Wall Street Journal,” so that is one I am definitely looking forward to. So I hope you all can join us.
We've got a pretty active Q and A chat so I want to just get right into it and talk. Can you explain at a high level what KeyBank does after it's notified by a customer that they were the victim of a fraudulent wire transfer that they sent funds to the wrong account? What information should the customer be prepared to provide to help KeyBank?
We're going to want to know all the information about that transaction that you sent and a little bit of the backstory. Likely what we see a lot is that companies have a supplier that informs them to not send their payment from their invoice to this former account but send it to this new account. And if you don't validate that the payment instruction is really changing and call that supplier, now you've wired funds to this bad actor. We're going to want to know how it happened and the details of the account. Obviously, we know the details of the transaction.
We're going to tell you to get in touch with the FBI and file the IC 30 and I want to let Stephanie talk about that process a little bit because we're going to need to get them engaged, and then we're going to reach out to that other institution and submit what's called identification or a hold harmless which says please secure those funds and send them back to us. We'll hold you harmless because in many cases they're banking the bad guy or their mule. And so we hold them harmless to get the funds back. We'll send a wire recall.
We'll do all of those things, but unfortunately with wire, money moves fast and so even if we do all of those things, really sophisticated, especially BEC, criminals know to do it late in the day when the wire rooms are closing so they can get the funds out but before a subsequent recall can get called out and they know to get it offshore fast. That's why we want you to get that IC 30 and have all of your documentation in order because the people who do this will move the money very quickly so it's harder to pull back.
Stephanie, if you want to talk about that getting in touch with the FBI.
Sure, IC.gov is a great website for victims to be able to file an online complaint or if they suspect any sort of crime from either the victim or if there is even a third party. You just go to IC3.gov. Right at the top, it says, “file a complaint,” and you put in all of the information that you can.
What you can also do as well, on top of that, is call your local FBI office and let them know right away what's happened to you.
If your bank is closed, or you need further help in that sense, or you've already called your bank and you think that they're trying to help, but you're not sure, call the bank, go to IC3.gov, and call the FBI and let them know what's going on and we can try and help push this information out as fast as we can. If we can get that money back and we can stop that bad actor as well as try and find them to keep them from hitting anybody else, it's very important to go as quickly as possible in these sorts of situations.
And then a lot of if it has gone overseas; we deal a lot with Singapore and China and some other countries. They're going to require the IC 3, as they get their law enforcement engaged in those other countries. Some of that documentation is going to be needed before they'll even open the claim of that foreign bank. It's a really important step.
It sounds like a lot of steps. Again, I think that time is of the essence continues to resonate throughout of being very proactive, but then, once it is happening, that you are addressing it immediately.
I know you mentioned about buying puppies online and we all love puppies and that got someone in our audience thinking what's your advice on pages on Facebook that ask for donations. Lots of folks are asking for donations to help animals amongst many others. And we don't want to waste any money, but also don't want to become so jaded that we don't help. Can you provide any insight of what to do and how to approach those asks?
I would just be really cautious. I would want to learn a lot about what the ask is. If it's GoFundMe, there'll be a little description. I mean, it is just buyer beware. Unless it's a licensed nonprofit, I would say, try to go more with the known licensed nonprofits that you have confidence in for those donations.
Lay off GoFundMe requests that you don’t know and have no idea how the funds will be used, or what they're truly going toward, whereas legitimate nonprofits have annual reports that talk about exactly how they spend the money.
I am jaded because at some point when you work in this long enough, I think it's a personal preference. Unless you really know how those funds are being used, there's always that opportunity it won't be going to what you think it will be.
Great. And Stephanie, this question may be directed to you, but someone's asking that there used to be an email address that one could forward spam or phishing emails. Is it still worthwhile to do that or have things just gotten so out of hand and so active that it's not effective anymore for the FBI?
It is an email address that's still active, but it does get bogged down. There is just so much, especially over this last year when we went from mostly virtual to almost everything is virtual. There are just so many scams.
My best advice for everyone, and I know that Jen has said the same thing, is just don't click on anything in emails, unless it's specifically from a company that says here is your invoice that you were expecting me to send you in an email or something to that effect.
Just don't click on things and emails. Don't open up emails if you see an email address and it's something like DebbieQR154307hd. Just don't open it; don't click on links. Honestly, it's for the best that you just don't. You can forward them to that specific email address, and I'll try and get it pulled up here in a second, but it's overwhelmed and honestly, again, my best advice is just don't click on anything. Don't open emails, don't answer these phone calls and text messages as well. Do not click on any links in text messages. They're probably almost always spam unless it's from a friend, but it also could be spam too.
The next question is, if someone's notified by their HR department of possible unemployment fraud, they may have contacted the different states involved as they live in a different state. If they haven't gotten a response from either state, should they just assume that it's been noted? Is there anything else that they need to do in that particular situation?
From my perspective, I would definitely keep trying to get a hold of the state where it's originating from, but that’s about all that can be done at this point. And you just really want to be mindful of how your identity might be being used and any new accounts being open, because I think what bad actors have realized is they were able to open up all these accounts.
My concern looking out past COVID and back half of this year is now you've got this massive population that are used to making money quick through all these programs, and they're not going to necessarily just go back into normal employment. Right now there's a fervor interest in identity theft and account opening that they're going to just continue forward with, in different ways, whether that's a government program or other account openings. I think a bit of a Pandora's box has been opened through this that is going to continue for us. You just want to be really laser focused on your particular account activity.
That's great. And thinking about that and trying to be protected, we've got another unique scenario in here. Thanks, Carla, for sending this in. So sorry to hear about your sister, but she recently passed away without leaving any password information. What's the best way to be responsible to our heirs to leave them this info yet still protect it from theft? How does that work? And then how do you work through it when you actually need to access the information?
Jen, I’m going to let you have a first pass at that.
Honestly, that's such a hard one with things like this. If your sister had a will and testament where you do know who is supposed to be in charge of her estate, it's really important that you leave it to whoever's in charge of the estate to keep hold of the passwords. They need to be in charge of the information or how the bank accounts go out. You need to make sure that there is one person that holds that and have everyone work together. But for safety, if four or five different people have passwords, then you don't know when somebody is going in. And I'm sure that's where your stresses are.
Everybody can still go to them for things they need, or you can still bring them with you to the bank. You just have that one person that's holding the bulk of these passwords, usernames, and answers to the questions. And just keep it with that one person that is either in charge of the estate, most trustworthy, and has their stuff together. It's kind of a very hard situation, honestly.
Then I would recommend if you have aging parents – I just did this with my mom when my dad passed away – I'm on her accounts. It's better to actively do it before they're deceased. I remember my dad, unfortunately, had brain cancer and his mental capacity went fast. We said we don't know what accounts dad has and we're having mom get into those accounts. We had that panic moment.
And I learned from that to make sure you have a trusted person and have them legitimately on those accounts ahead of time. And then if you really have no information, you just start calling and you have to provide the death certificate. Get several copies of the death certificate because you're going to need them. And then they'll work for you to close those accounts and give you access as the estate owner. But it just takes a long time because now you're going through the estate process.
Now, to shift gears a little bit, we've talked a lot on the personal side. So what about businesses – how do you treat business owners who experience identity theft or fraud in their business accounts? Is it the same as individuals, for example, are businesses required to identify, then report the fraud within a shorter time frame as individuals? Do we have any opportunity to recover the funds? What are the nuances there? But then also, what can we do proactively in those instances as well?
Stephanie, do you want to go first?
No, you can go ahead.
You always want to be watching that Secretary of State site. We are starting to see people steal TINs and do more identity theft in small businesses, so be aware and be on the lookout for some of the same things from a personal perspective and then call in. You may have to create a whole new TIN and there could be legalities. It's how your business is structured. The aftermath is a little bit different because it's a business account, but we would want to know that. And if it's your user credentials to your cash management site, we have ways to reset those as well and make sure you only have authorized users. I would say a trend we are seeing hot right now is bad actors calling in and trying to get you to place an unauthorized user on your cash management system. They try to convince KeyBank but also businesses to add additional users. Be very cautious of who has cash management access within your tools with your banks.
It's also really important again. It is a little bit different for our businesses, as opposed to individuals, speaking from my perspective, just because with businesses, money movement is very quick. It's usually much larger. Trying to be as quick as possible with things like that is very important. For businesses, just try and be as quick as possible at identifying that.
Perfect. Well, thank you so much. I know we had a lively Q and A session. Unfortunately, we were not able to get to all of them, but please continue to follow up on social media and register for Key4Women.
Thanks to all of our panelists, Stephanie, Tammy, and Jen, today for joining us and lending your insights and best practices. I hope our audience have identified some new ways to better protect themselves, of course, against the risk of fraud and cybercriminals.
You can check out more at Key4Women Resources to help support your success at key.com/women, and we will share the recording with all of you for anyone who's missed it along with the event survey for anyone on the call that was unable to complete it and, of course, for anyone in business in the communities on the call today, that are not members of our Key4Women program. Again, please consider joining us – go to key.com/joinK4W.
Thanks again for joining. And I hope you enjoy the rest of your day. Take care.
Gain insights from fraud experts to help protect you and your business from emerging threats, including email and unemployment fraud.
In a recent live webinar, Jen Martin, head of fraud at KeyBank, and Stephanie A. Breen, FBI intelligence analyst, discussed the latest fraud trends that most commonly affect small business owners and individuals. Hear from our experts about how these scams are executed and actions you can take to help prevent a fraud attack.
About Jen Martin
Acknowledge all the qualities that you bring to the table, rather than comparing yourself to others.Jen has more than 23 years of progressive leadership experience in technology, data, analytics, and operations in criminal justice and financial services. Over the past 13 years, Jen has held several leadership roles in financial services. At SunTrust, now Truist, she served as the head of enterprise fraud. Passionate about transformational change, she delivered innovative capabilities such as real-time fraud analytics and the integration of SunTrust/BBT into Truist Enterprise Fraud Management. Additionally, she led Fraud Strategy for JP Morgan Commercial Bank, establishing a new client-focused fraud prevention team with enhanced analytics capabilities and client fraud awareness strategies. In September 2020, Jen joined KeyBank as head of enterprise Services. She is active in the fraud services industry serving on several advisory boards and as the vice chair of the Consumer Bankers Association Fraud Management Committee.
About Stephanie A. Breen
Intelligence Analyst (IA) Stephanie A Breen has worked for the FBI for five years, specializing in white collar criminal investigations. She is a graduate of Eastern Michigan University (BS & MC) where she studied psychology, business management, and marketing. She serves as a leader of the Cleveland Division Virtual Currency Working Group and Social Media Exploitation Team, and is an active member of the Cleveland Division Virtual Currency Task Force, Bankruptcy Fraud Working Group, Medical Marijuana Working Group, Social Media Cell, and the nationwide Corporate Fraud Response Team. IA Breen has represented the FBI in multiple working groups, trainings, and conferences across the US and in Europe. She is currently assigned to the White-Collar Crime squad in Cleveland.